Hi all,

I have a strange problem with my firewall. I use a Cisco 3000 VPN client to connect to my office from my home PC.

When the VPN client is not running, the DNS works fine. Browsing is fine. The PC is on my internal 192.168.0.x network and uses an external DNS setting.

When the VPN client is running, the PC gets the address 172.x.x.x assigned by the VPN DHCP server. The DNS is forced to use my office DNS addresses. I am running XP and I have confirmed that the PC has the correct DNS addresses for my office, but no DNS requests are getting past the firewall. An nslookup times out when on the VPN.

I have only two domain entries in the Shorewall rules file:

    ACCEPT fw net udp domain
    ACCEPT fw net tcp domain

Further info: the VPN client is using TCP port 10000 in transparent mode so it is hidden from my ISP. I can do anything I want via IP address (telnet, ssh, http) when on the VPN but nothing with FQDN.

Thanks,
Craig
CRAIG SHARP wrote:
> Hi all,
>
> I have a strange problem with my firewall. I use a Cisco 3000 VPN
> client to connect to my office from my home PC.
>
> When the VPN client is not running, the DNS works fine. Browsing is
> fine. The PC is on my internal 192.168.0.x network and uses an
> external DNS setting.
>
> When the VPN client is running, the PC gets the address 172.x.x.x
> assigned by the VPN DHCP server. The DNS is forced to use my office
> DNS addresses. I am running XP and I have confirmed that the PC has
> the correct DNS addresses for my office, but no DNS requests are getting
> past the firewall.

Is your VPN client setting up a route through the tunnel to the DNS server? If not, it's not going to work unless the server is also publicly accessible.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
CRAIG SHARP wrote:
> Hi all,
>
> I have a strange problem with my firewall. I use a Cisco 3000 VPN
> client to connect to my office from my home PC.
>
> When the VPN client is not running, the DNS works fine. Browsing is
> fine. The PC is on my internal 192.168.0.x network and uses an
> external DNS setting.
>
> When the VPN client is running, the PC gets the address 172.x.x.x
> assigned by the VPN DHCP server. The DNS is forced to use my office
> DNS addresses. I am running XP and I have confirmed that the PC has
> the correct DNS addresses for my office, but no DNS requests are getting
> past the firewall. An nslookup times out when on the VPN.
>

The other problem that I have seen with VPN on Windoze is that it will route requests directly to a host (won't use the tunnel) yet it will use the local VPN IP address as the source address! This of course means that replies can't be routed properly.

In my setup (http://www.shorewall.net/myfiles.htm), I have the following rule:

    DROP    net:eth3:!206.124.146.180    fw    all

That rule is there just to trap all of the crap with a VPN source address that XP on my laptop spews out. e.g.,

    702 45176 DROP  all  --  eth3  *  !206.124.146.180  0.0.0.0/0  state NEW

All of these problems can be worked around by setting your VPN client to use the remote VPN gateway as its default gateway.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
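The two checks Tom describes above (does the host route the office DNS server through the tunnel, and does the source address of a packet match the interface it leaves on) can be reproduced offline. The following is an added example, not code from this thread or from Shorewall: it does a longest-prefix route lookup over constructed routing tables in the column order of Windows XP's `route print`, and it models the `DROP net:eth3:!<address> fw all` rule as a predicate. All addresses (the office DNS server 172.16.5.53, the home PC 192.168.0.10, the VPN adapter 172.16.40.7, the concentrator 203.0.113.9) are assumptions chosen to match the thread, not the posters' real values.

```python
"""Route-lookup and source-address checks for the "DNS over VPN" problem.

Added example. All tables and addresses below are constructed to resemble the
setup described in the thread; none are captured from a real host.
"""
import ipaddress
from typing import List, Optional, Tuple

# One route as (destination, netmask, gateway, interface address),
# the column order of `route print` on Windows XP.
Route = Tuple[str, str, str, str]

OFFICE_DNS = "172.16.5.53"     # assumed office DNS server reachable only via the VPN
HOME_LAN_IF = "192.168.0.10"   # assumed home PC address on the physical NIC
HOME_GATEWAY = "192.168.0.1"   # assumed Shorewall box, the PC's normal default gateway
VPN_IF = "172.16.40.7"         # assumed address handed out by the VPN concentrator
VPN_CONCENTRATOR = "203.0.113.9"  # assumed public address of the office VPN gateway

# Constructed table as a misbehaving client may leave it: the VPN adapter has an
# address, but no route to the office network was added, so the office DNS
# server is still reached via the home firewall (and gets blocked or dropped).
ROUTES_BROKEN: List[Route] = [
    ("0.0.0.0",     "0.0.0.0",       HOME_GATEWAY, HOME_LAN_IF),
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",  "127.0.0.1"),
    ("192.168.0.0", "255.255.255.0", HOME_LAN_IF,  HOME_LAN_IF),
]

# Constructed split-tunnel table: only the office network goes through the VPN.
ROUTES_SPLIT: List[Route] = ROUTES_BROKEN + [
    ("172.16.0.0",  "255.255.0.0",   VPN_IF,       VPN_IF),
]

# Constructed table after "use the remote VPN gateway as default gateway":
# everything goes through the tunnel except the concentrator itself.
ROUTES_FULL: List[Route] = [
    ("0.0.0.0",        "0.0.0.0",         VPN_IF,       VPN_IF),
    (VPN_CONCENTRATOR, "255.255.255.255", HOME_GATEWAY, HOME_LAN_IF),
    ("127.0.0.0",      "255.0.0.0",       "127.0.0.1",  "127.0.0.1"),
    ("192.168.0.0",    "255.255.255.0",   HOME_LAN_IF,  HOME_LAN_IF),
]


def lookup(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, which is how the host picks a route for dst."""
    target = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(f"{route[0]}/{route[1]}", strict=False)
        if target in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def egress_interface(dst: str, routes: List[Route]) -> Optional[str]:
    """Address of the interface a packet to dst leaves on, or None if unroutable."""
    route = lookup(dst, routes)
    return route[3] if route else None


def dns_uses_tunnel(dns_server: str, routes: List[Route]) -> bool:
    """Tom's first question: do queries to dns_server actually go via the VPN adapter?"""
    return egress_interface(dns_server, routes) == VPN_IF


def source_matches_egress(dst: str, routes: List[Route], chosen_src: str) -> bool:
    """Tom's second observation: a packet whose source address is not the address
    of the interface it leaves on (e.g. VPN source out of the physical NIC) cannot
    get a routable reply. Returns False for that mismatch."""
    return egress_interface(dst, routes) == chosen_src


def shorewall_drop_matches(in_iface: str, src: str, expected_src: str,
                           net_iface: str = "eth3") -> bool:
    """Predicate form of `DROP net:<net_iface>:!<expected_src> fw all`: anything
    arriving on the net interface from a source other than expected_src is dropped."""
    return in_iface == net_iface and src != expected_src


if __name__ == "__main__":
    for name, table in (("broken", ROUTES_BROKEN), ("split", ROUTES_SPLIT), ("full", ROUTES_FULL)):
        print(f"{name:6s}: DNS via tunnel = {dns_uses_tunnel(OFFICE_DNS, table)}, "
              f"egress = {egress_interface(OFFICE_DNS, table)}")
    print("VPN-sourced packet on eth3 dropped:",
          shorewall_drop_matches("eth3", VPN_IF, "206.124.146.180"))
```

Running the script shows the broken table sending office DNS queries out the home NIC, while the split and full-tunnel tables send them via the VPN adapter; the `ROUTES_FULL` table also keeps the concentrator's own address reachable via the home gateway, which is the one route a full-tunnel client must leave outside the tunnel.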
Tom,

Thanks for the reply. It did turn out to be the VPN. For some reason it would not route the DNS traffic. I generated a new client and had to set stateful firewall on. Now it is working.

Craig

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, February 18, 2003 12:00 PM
To: CRAIG SHARP
Cc: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] DNS over vpn not working